Whilst we’ve spoken about cyber security for a long time, do organisations really understand it and its impact across their organisations? The evidence seems to point to “no”, or perhaps more to “not fully”. While cybercrime has risen up the business agenda, the recent ransomware attacks that shook organisations across Europe – including the NHS – are a prime example of how organisations still have a long way to go in ensuring a safe professional and personal environment. From phishing emails all the way up to mass-scale data breaches, it’s becoming ever clearer that the maturation of the digital industry has brought its own set of unique challenges, and businesses are not quite there when it comes to addressing the cybercrime challenge.
What’s promising to see from a recent report is that three in five (58 percent) businesses have sought information, advice or guidance on the cyber security threats facing their organisation over the past year. In addition, three quarters (75 percent) of those consulting Government sources say they found this material useful, with many considering the Government a trusted source to provide or signpost to information and guidance. Following the Government’s pledge to commit £1.9bn towards battling cybercrime, and to educating and training cyber security experts of the future, it’s encouraging to see how organisations of all shapes and sizes are taking on board the urgency of protecting themselves from potential attacks. In doing so, they help cyber security become a national priority. After all, as the UK continues to navigate through uncharted waters, all organisations are equally responsible for ensuring that the UK remains one of the safest places to do business.
Although educating, funding and training businesses on combatting cybercrime should not be overlooked, there is still a need for regulations which hold organisations accountable for security breaches caused by outdated security. We’ve seen an unprecedented number of record-breaking fines when a company has been subjected to a data breach or cyber-attack, and making an example of these companies by enforcing financial penalties is exactly what the new General Data Protection Regulation (GDPR) will look to implement.
As such, it has never been more important for organisations to have the people, technologies and processes in place to support them in their approach to cyber security. Looking at the growing technology trends, here are four key examples of areas of vulnerability businesses are facing today and some common practices that can be put in place to help avoid attacks:
1. Poor or outdated routine IT practices will cause unavoidable harm to businesses
The cyber security problems organisations generally face are not necessarily the result of new cyber-attack techniques or malicious insiders, but tend to result from those who fail to manage the vital housekeeping tasks.
Each business has its own responsibility to ensure that the training and education of its people is relevant, appropriate and meaningful for their job function. Cyber security training is now too important to be seen simply as a necessary tick box within an organisation; employees are key to the defence of an organisation and need to be educated as such.
2. Cyber security should be a necessary pillar of ‘smart cities’
Whilst ‘smart cities’ undoubtedly provide organisations with unprecedented economic opportunities, businesses will also be confronted by potential cyber threats due to the significant increase in the number of interconnected devices.
Although the thought that ransomware could take out a city of ‘smart’ connected traffic lights would have seemed unfeasible a year ago, these sorts of attacks are becoming more common, and the attack on a power grid in Ukraine is just one example of this. By taking an entire city’s substations offline – which left thousands of residents without power – the attack was an example of how we’re entering a new sector vulnerable to cybercriminals.
Although attackers may not try to exploit weaknesses in connected cities, they may look to install ransomware in a critical part of the infrastructure. This means these platforms will need to be controlled, and the governance around the management of those control platforms will be vital. This includes the security controls of the supply chain involved in the delivery and control of any part of the ‘smart’ city we’re now connecting.
3. Mobile attacks continue to be cybercriminals’ cash cow
With Statista predicting the share of monthly active smartphone users to reach over 80% of the total population by 2021, it’s no secret that the escalating use of smart devices for personal and business data makes mobile platforms a treasured target for cybercriminals. Despite the fact that many organisations are now moving on from legacy operating systems that have been frequently targeted for their vulnerabilities, attackers will continue to look for new ways of attacking mobile platforms with ransomware demanding payment for the return or decryption of personal data.
Businesses should be making mobile device management a priority and enhancing it with robust security controls. For example, mobility champions should decide what types of corporate data approved work devices can share, then determine the most effective security measures for protecting the data on those devices.
4. Organisations which lack adequate protection have a blind spot
The last couple of years saw a rise in attacks against enterprises using Microsoft PowerShell, with a Carbon Black report revealing that Microsoft’s configuration management framework was tied to more than a third of all cyber-attacks. As a framework and scripting language installed by default on all Windows computers, it has enabled attackers to take advantage of those organisations which lack adequate protection from malicious use. For example, tools such as PowerShell Empire, frequently used by penetration test teams, are also used by attackers to dodge the perimeter, create backdoors and then move laterally around a network. Being part of the Windows system makes it easier for attackers to use PowerShell as part of their attack cycle, but more difficult for network defenders to identify malicious use.
Looking ahead, organisations should be re-evaluating their monitoring capabilities and logging levels, and working to identify which known good scripts are in use across their networks, so that they have the ability to detect malicious attacks where possible.
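To make the “known good scripts” idea concrete, here is an added example (not from the original article or from Fujitsu) that checks logged script blocks against an approved baseline. It assumes records exported as dictionaries carrying the fields of PowerShell script block logging (event ID 4104); the sample records, IDs and baseline are constructed for illustration.

```python
import hashlib
from collections import defaultdict

def script_hash(text):
    # Normalise line endings and trailing whitespace so copies of one script hash alike
    lines = text.replace("\r\n", "\n").split("\n")
    clean = "\n".join(line.rstrip() for line in lines).strip()
    return hashlib.sha256(clean.encode("utf-8")).hexdigest()

def reassemble(events):
    # Large scripts are logged as several records sharing one ScriptBlockId
    parts, totals = defaultdict(dict), {}
    for ev in events:
        parts[ev["ScriptBlockId"]][ev["MessageNumber"]] = ev["ScriptBlockText"]
        totals[ev["ScriptBlockId"]] = ev["MessageTotal"]
    blocks = {}
    for sid, frags in parts.items():
        complete = set(frags) == set(range(1, totals[sid] + 1))
        text = "".join(frags[n] for n in sorted(frags))
        blocks[sid] = (complete, text)
    return blocks

def triage(events, known_good):
    # Return (ScriptBlockId, reason) for every block that needs an analyst's eye
    findings = []
    for sid, (complete, text) in reassemble(events).items():
        if not complete:
            findings.append((sid, "incomplete"))  # fragments missing: cannot be verified
        elif script_hash(text) not in known_good:
            findings.append((sid, "unknown"))     # not in the approved baseline
    return sorted(findings)

# Constructed sample data (assumption: baseline built from an approved script's text)
APPROVED = "Get-Service | Where-Object Status -eq 'Running'\r\nGet-Date\r\n"
KNOWN_GOOD = {script_hash(APPROVED)}

def record(sid, num, total, text):
    return {"ScriptBlockId": sid, "MessageNumber": num,
            "MessageTotal": total, "ScriptBlockText": text}

SAMPLE_EVENTS = [
    record("sb-1", 2, 2, "Get-Date\n"),  # fragments arrive out of order
    record("sb-1", 1, 2, "Get-Service | Where-Object Status -eq 'Running'\n"),
    record("sb-2", 1, 1, "Get-ChildItem C:\\Users -Recurse"),  # never approved
    record("sb-3", 1, 3, "Write-Output 'part one of three'\n"),  # 2 of 3 parts lost
]

if __name__ == "__main__":
    for sid, reason in triage(SAMPLE_EVENTS, KNOWN_GOOD):
        print(sid, reason)
```

An exact-hash baseline only recognises scripts that are byte-for-byte approved after normalisation, so any edited copy of an approved script will surface as unknown and need review.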
Ollie Hart, Head of Vendor Alliances, Enterprise and Cyber Security EMEIA, Fujitsu